Open WebUI Vulnerable to Stored Cross-Site Scripting (XSS) via iFrame in Citations Model
An authenticated attacker can achieve stored Cross-Site Scripting (XSS) in Open WebUI by manually modifying chat history requests to inject malicious HTML into citation document metadata, leading to session takeover or potential Remote Code Execution (RCE) on the server if an administrator is targeted.
Open WebUI is vulnerable to a high-severity stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2026-26192, stemming from insecure iFrame rendering in its citation model. An authenticated attacker can exploit this by intercepting and modifying HTTP requests when saving chat history to inject malicious HTML content into document metadata, specifically by adding html: true and embedding an XSS payload. When another user, particularly an administrator, views a citation containing this weaponized document within a shared chat, the vulnerable Open WebUI frontend renders the content in an iFrame with insufficient sandboxing (allow-scripts and allow-same-origin are hardcoded), allowing the XSS payload to execute. This can lead to session hijacking, exfiltration of sensitive information, or, in the case of an administrator, potential server-side Remote Code Execution (RCE) by leveraging other known vulnerabilities. The vulnerability affects pip/open-webui versions prior to 0.7.0.
Attack Chain
- An authenticated attacker logs into Open WebUI and initiates a new chat session.
- The attacker attaches an arbitrary file as a "document source" to the chat.
- While saving the chat history or message, the attacker uses an HTTP proxy tool (e.g., Burp Suite, Caido, ZAP) to intercept the outgoing save request.
- Within the intercepted request's JSON body, the attacker locates the object corresponding to the document source within the
historyandmessagesobjects. - The attacker modifies this object by adding
html: trueto its metadata and injects an XSS payload (e.g.,<script>alert(document.cookie)</script>) into the document content field. - The attacker forwards the modified HTTP request, causing the Open WebUI server to store the malicious chat history with the embedded XSS payload.
- The attacker shares the link to this weaponized chat with a victim user (e.g., via a phishing link).
- When the victim accesses the shared chat and clicks on the malicious document citation, the Open WebUI frontend renders the content in an insecure iFrame, executing the attacker's JavaScript payload in the victim's browser context.
Impact
Successful exploitation of this vulnerability allows an attacker to execute arbitrary client-side JavaScript code in the context of the victim's browser session. For low-privilege users, this can lead to session takeover, allowing the attacker to read session tokens from local storage and exfiltrate them to an attacker-controlled server. If an administrator is targeted and views the malicious citation, the XSS payload can be used to bypass security controls and potentially achieve server-side Remote Code Execution (RCE) by chaining with other known vulnerabilities, as described in GHSA-w7xj-8fx7-wfch. This poses a significant risk to the integrity and confidentiality of data within the Open WebUI environment.
Recommendation
- Patch CVE-2026-26192 immediately: Upgrade all Open WebUI installations to version 0.7.0 or newer to mitigate the vulnerability.
- Implement Web Application Firewall (WAF) rules: Configure a WAF to inspect
POSTrequests to chat history save endpoints for unusual modifications like the addition ofhtml: truein JSON bodies, and block requests containing common XSS payload patterns in document content, though this may require product-specific WAF configuration for JSON body inspection. - Educate users on phishing awareness: Warn users about suspicious shared chat links or messages that encourage clicking on document citations from unknown or untrusted sources.